Posted October 28, 2008 9:45 am by with 10 comments


There’s a reason why Apple’s computers and iPhone are pretty much invulnerable to outside attacks–Apple controls everything from the operating system to the hardware. It’s hard to find a vulnerability when you don’t know the "secret blend of herbs and spices."

Contrast that to Google’s approach to Android. Google’s mobile platform is made up of more than 80 different open-source components, and the hardware is manufactured by third-party providers.

Perhaps it’s no surprise that Android has already suffered its first security breach. What is surprising is that it occurred because Google simply didn’t keep track of the latest versions of the components it uses in Android.

The flaw lies within one of the open-source components used by the Android platform, say the researchers.

"The vulnerability is due to the fact Google did not use the most up-to-date versions of all these packages," the trio said.

"In other words, this particular security vulnerability that affects the G1 phone was known and fixed in the relevant software package, but Google used an older, still vulnerable version."

Fortunately, the hackers are not making the flaw public until Google has a chance to fix it, but the next hacker might not be so benevolent.

If Google wants to be a serious player in the mobile space, it has to earn our trust. Sure, the Google brand will go a long way to bring instant credibility, but that could be quickly eroded if the above becomes anything more than an isolated incident. Worse, if too many flaws turn up in Android, the tarnished reputation could spread to Google’s main brand.

  • Yes, but some would say that this is better than a closed system. I am not one of those open source advocates, however there are benefits to this platform being open.

    We are already seeing some of the troubles with such a closed system with the iPhone. Limited applications allowed to be published, slow delays to release critical updates, slow updates to necessary firmwares.

  • @Matthew – some valid points for the other side of the coin. Thanks!

  • It’s unacceptable for a big company like Google to make a mistake like this. They were really irresponsible when they didn’t check the latest versions of each package they added. I hope they will focus on keeping their products secure.


  • Well Apple had this same problem when it first released the iPhone. Soooooo….


  • Wow, well with every new product there are flaws in the first weeks of its production; this is called “the window period”, which is the time a product is tested within the market by end users.

    So this doesn’t come to me as a major “awe”, nothing would come out absolutely perfect.

    Very informative article though, thank you 🙂

  • PS3

    @iPwner, I guess the answer is yes, others like Microsoft do it regularly then shut the stable door later with patches.

    At the end of the day, the consumer will voice their view with their wallet.

  • What I don’t understand is why a big name like Google can’t build their own parts way safer from scratch and selects to use so many buggy and outdated “open source” components.


  • You could say that about every screw-up for every product release. Microsoft, Apple, Google, AOL, they have all had major flubs after release.

    The only thing I was trying to express in my comments is that it is not fair to pick on Google. Everyone has had their flaws, even the almighty Apple with the iPhone. There were serious bugs when 1.0 was released.


  • It seems the G1 is not doing itself any favors in competing with the iPhone.

  • AKarl

    Please excuse the marketing plug, but I think this is relevant to the discussion. My company, Mocana, just announced a security SDK for Google’s Android platform so that developers can build robust encryption, authentication, VPN, antivirus and antimalware features into Android Handsets. If interested, there’s more here about NanoPhone: Thanks for your indulgence.